Guarding Against 'Advanced Persistent Threat'

The unsatisfactory term "Advanced Persistent Threat" is shorthand for a decade-long program of coordinated attacks that originate mostly from China and try to exfiltrate corporate intellectual property. If your company has not been targeted, congratulations, but you need to be prepared.

I call the term APT "unsatisfactory" not only because it can mean different things when used by different security companies, government and military agencies, etc., but also because the intrusion techniques employed by state actors often are not very advanced.

Russian cybercriminals bent on self-enrichment employ advanced toolkits that may include zero-day vulnerabilities, that is, flaws previously unknown and unpatched. But Chinese hacking teams are much more likely to rely on known vulnerabilities in conjunction with social engineering and spear phishing.

However, the "persistent" part of the term is accurate. APT intrusions may last for months or years. These are not one-shot hacks.

Cyberattacks have been with us as long as the Internet has, but until 10 to 12 years ago, they looked more like government-to-government espionage than deliberate attempts to exfiltrate private intellectual property. The attacks gradually broadened to target defense companies and then other critical industries, including energy, finance, and security. Here is a partial list of major APT activity over the past two years:

Security companies, the technical press, and lately the general press have increasingly pointed out circumstantial evidence that the Chinese government and/or military are behind most of the industrial espionage attacks. This drumbeat culminated late last year in a US government report naming China and Russia. The experts who worked on that report said in later interviews that as few as a dozen hacking groups appear to be behind most of the attacks.

Investigations indicate that the dozen or so Chinese teams get "taskings" to go after specific technologies or companies within a given industry. Sometimes two or more teams appear to get the same target list, and they then compete to be first or to get the most valuable trove of data.

China has always denied having anything to do with the attacks. Ironclad proof of its involvement will always be elusive, but the circumstantial evidence is mounting. For example, McAfee researchers found that the "Night Dragon" attackers were always active within a time window of 9:00 a.m. to 5:00 p.m. in the time zone that includes Beijing.

The security expert Bruce Schneier notes an important way the APT differs from more familiar threats, which tend to be motivated by either money or politics. When dealing with such attacks, what matters is your relative level of protection -- if you are more secure than 90 percent of your competitors, the traditional hackers will pass you by and go after them. When facing the APT, the absolute level of your protection needs to be up to snuff.

The Australian Defence Signals Directorate maintains a prioritized list of 35 APT mitigation strategies (though it calls the attacks "targeted cyber intrusions"). The Directorate estimates that 85 percent of APT attacks could be mitigated by the simple steps of consistent patching (of both operating systems and applications), application whitelisting, and reducing the number of users with administrative privileges. Implementing processes farther down the list -- data-loss prevention, user behavior analysis -- boosts your safety even more. The SANS Institute offers training in these and other advanced security techniques.

If your company has any involvement in national security or major global economic activities -- even peripherally -- you should expect to come under pervasive and continuous APT attacks that go after archives, document stores, intellectual property repositories, and other databases. Make sure your people and processes are up to the challenge.

re: if you are more secure than 90 percent of your competitors, the traditional hackers will pass you by and go after them.

There is a saying "You don't have to outrun the lion, you just have to outrun your friend."

@ Cassimir: I would like to learn more about adaptive security.

I did find this: "Here's an example of how adaptive security works: A behavioral-based rule triggers IPS alerts for multiple malformed packets. Instead of sounding an alarm immediately, the intrusion analysis system checks the most recent scanning results on the server under attack. Those results show the system is missing several recent patches. Passive traffic analysis reports then reveal that the server has been attempting to communicate with unusual ports on local systems. With this additional information, it becomes clear that the organization has a zero-day attack occurring inside its network." Source: http://www.sans.org/reading_room/analysts_program/adaptiveSec_Dec08.pdf
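The correlation described in the SANS quote above, worked through as an added example (not from the original post or the SANS paper): an IPS alert is enriched with the target host's latest scan results and passive traffic observations before a severity is assigned. All hostnames, ports, patch identifiers and thresholds below are constructed for illustration.

```python
"""Toy adaptive-security correlator modelled on the SANS scenario.

An IPS alert on its own is noisy. Before raising a high-severity incident we
enrich it with (1) the newest vulnerability-scan results for the targeted host
and (2) passive traffic observations for that host. All data is constructed.
"""
from dataclasses import dataclass, field

# Constructed sample data: hostnames, ports and patch IDs are hypothetical.
IPS_ALERTS = [
    {"dst": "srv-files-01", "rule": "malformed-packet", "count": 14},
    {"dst": "srv-web-02", "rule": "malformed-packet", "count": 3},
]
SCAN_RESULTS = {            # host -> patches the scanner reports as missing
    "srv-files-01": ["KB-HYPOTHETICAL-001", "KB-HYPOTHETICAL-002"],
    "srv-web-02": [],
}
PASSIVE_FLOWS = [           # (src host, dst host, dst port) seen by a passive sensor
    ("srv-files-01", "ws-042", 4444),
    ("srv-files-01", "ws-017", 4444),
    ("srv-web-02", "db-01", 3306),
]
EXPECTED_PORTS = {"srv-web-02": {3306}}   # known-good lateral services per host

@dataclass
class Verdict:
    host: str
    severity: str
    reasons: list = field(default_factory=list)

def unusual_ports(host):
    """Destination ports this host talked to that are not on its allow-list."""
    allowed = EXPECTED_PORTS.get(host, set())
    return sorted({p for s, _, p in PASSIVE_FLOWS if s == host and p not in allowed})

def correlate(alert, malformed_threshold=5):
    """Escalate only when the alert, the scan gap and lateral traffic line up."""
    host = alert["dst"]
    v = Verdict(host, "info")
    if alert["count"] < malformed_threshold:
        v.reasons.append("below alert threshold")
        return v
    missing, ports = SCAN_RESULTS.get(host, []), unusual_ports(host)
    if missing:
        v.reasons.append(f"missing patches: {missing}")
    if ports:
        v.reasons.append(f"unusual outbound ports: {ports}")
    # Unpatched host plus odd lateral traffic: treat as likely active compromise.
    v.severity = "critical" if missing and ports else "high" if missing or ports else "medium"
    return v

def triage():
    return {a["dst"]: correlate(a) for a in IPS_ALERTS}
```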

The adaptive security idea is taking hold now. Even the anti-virus folks are coming to understand that scanning however many fixed signatures is not going to do it for the emerging threats (and for some that are here already). Ideally you would like to let in the attacker only to the walled-off "lobby," but even if the attack penetrates to live systems, it could still be desirable to watch and record -- as opposed to pulling the plug on the invaded system, alerting the attacker that he has been "made."

A couple of years ago I interviewed a security expert and he said that companies should not depend entirely on perimeter security -- the well protected fortress. They should look at adaptive security where the system allows the attack in to spoofed areas of the system to study its behavior. The theory is the more we learn about the threats the more we force the attackers to upgrade. Adaptive security would complement the fortress but we should know the enemy better by inviting him into the lobby to "play." I wish I could remember the name of the company, but the idea seemed reasonable to me. Or maybe it appealed to the writer rather than the techie in me.

Oh, yes, those military preparations have gotten a good deal of attention, as has the risk of terrorists using this as a very potent weapon. It may be a bigger threat than biological attacks or even nuclear attacks given that it doesn't require physical delivery of a weapon. Like many military leaders, I'm a big fan of diplomacy as a means to avoid catastrophe. This is clearly a threat to the entire notion of sovereignty, which has been the cornerstone of diplomacy for many centuries.

Tom — all of the scenarios you mention and more have been discussed in military and political circles since the time of the Bush administration. An Air Force unit has been chartered with defending against, and potentially waging, "cyberwar." The very term is repugnant to many in the security community, but it is in widespread use in military circles. There is open talk of going offensive, and comparisons of the assumed offensive cyberwar capabilities of various nations. The elephant in the room is that ironclad attribution for the sorts of intrusions represented by the APT is essentially impossible. For example, any and all of the circumstantial traces pointing to Chinese agency for the intrusions could be faked by another state-sponsored actor. It would be a huge undertaking, but is by no means impossible. This fact underpins the denials the Chinese continue to issue.

At what point, I wonder, do nations start to clash - not just talk - on this on a public, diplomatic level? Although it may be difficult to prove who is doing what to whom, it seems that it would be prudent to create a harsh system for dealing with this. And on a military level, this truly looks like it could be the future of warfare. What's going on now looks like the digital equivalent of war games; a real confrontation could destroy much of a country's business infrastructure controlling banks, utilities, and transportation systems. Imagine waking up in the morning and finding out all records of your money are gone, there's no power or water, and it's hard to get anywhere from anywhere. The idea of destroying chemical plants or other industrial targets is too horrible to contemplate.

Here's the Christian Science Monitor on the US government report: "Operation Aurora was a coordinated attack on the intellectual property of several thousand companies in the United States and Europe -- including Morgan Stanley, Yahoo, Symantec, Adobe, Northrop Grumman, Dow Chemical, and many others. Intellectual property is the stuff that makes Google and other firms tick."

"Aurora" is what Google and other investigators named the broad attack of which the Google hacking was a part. The affair reached the level of US Secretary of State Hillary Rodham Clinton calling out the Chinese (who denied all). It resulted in Google's withdrawal of its site from the mainland.

Network World has an article on what various people and groups mean when they say "Advanced Persistent Threat," and the origins of the term. Here's one security analyst from HBGary: "The Air Force and DoD latched onto it as a nice way to not have to keep saying 'Chinese state-sponsored threat.' We should stop pretending it's not that... [APT is] the Chinese government's state-sponsored espionage that's been going on for 20 years. Let's just call it, 'Everything that matters to the state of China's global expansion.'"

Note that HBGary, which had many government security contracts, was hacked by Anonymous last year and all but destroyed.

The other explanation for Chinese hacks could be corporate espionage, as mentioned in the blog. It is well known that China is the world's largest producer of counterfeit goods. But their counterfeit goods are always on point. They answer specific needs in a timely fashion and are tailored precisely to different markets. It could be the need for this kind of accuracy that drives hacking for information.